Hyperlinking to ‘members only’ pages
Thursday, 21 December 2006
I’ve been asked a question similar to this one a number of times over the last few years:
Our business partner has a “members only” area on their public website and they have given us our very own “access code” in order to gain access to that area. How do we access the “members only” area directly, bypassing their web form which prompts for the “access code”?
Provided your business partner’s website doesn’t check the “HTTP referer” field of requests made by the client software connecting to it, something as simple as this will do:
<form action="http://someinsecurewebsite.com/" method="post">
<a href="javascript:document.forms[0].submit()">click me, click me</a>
<input name="accesscode" type="hidden" value="abc123" />
</form>
I’m assuming that your business partner’s URL for the web form is “http://someinsecurewebsite.com/”, the name of their access code field is “accesscode” and that your allocated access code is “abc123”. I’m also assuming that your web page which contains the above code has no other forms and that the client browser has JS enabled.
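Seen from the partner's side, the referer check mentioned above could look like the following. This is an added example, not code from the original post or from any real site; the request shape, the function names and the second host name are assumptions, and the sample requests are constructed.

```javascript
// Added example: server-side handling of the access-code POST described above.
// Assumptions (not from the post): the request shape, EXPECTED_HOST and the
// function names. "abc123" is the sample access code used in the post.
const EXPECTED_HOST = "someinsecurewebsite.com"; // host from the post's example
const ACCESS_CODES = new Set(["abc123"]);

// Returns the host named in a Referer value, or null if absent or malformed.
function refererHost(value) {
  if (typeof value !== "string" || value === "") return null;
  try {
    return new URL(value).hostname.toLowerCase();
  } catch (e) {
    return null; // not an absolute URL
  }
}

// req: { method, headers: { referer }, body: { accesscode } }, already parsed.
// The Referer header is supplied by the client, so this check only filters
// form posts that browsers send from pages on other sites; it is not
// authentication, and the shared access code remains the only secret.
function checkAccessPost(req) {
  if (req.method !== "POST") return { ok: false, reason: "method" };
  const host = refererHost(req.headers && req.headers.referer);
  if (host === null) return { ok: false, reason: "referer-missing" };
  if (host !== EXPECTED_HOST) return { ok: false, reason: "referer-foreign" };
  const code = req.body && req.body.accesscode;
  if (typeof code !== "string" || !ACCESS_CODES.has(code)) {
    return { ok: false, reason: "accesscode" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample requests: the site's own form, and the same POST
// submitted from a page hosted elsewhere (hypothetical host name).
const ownForm = {
  method: "POST",
  headers: { referer: "http://someinsecurewebsite.com/login" },
  body: { accesscode: "abc123" },
};
const foreignForm = {
  method: "POST",
  headers: { referer: "http://intranet.example/links.html" },
  body: { accesscode: "abc123" },
};
console.log(checkAccessPost(ownForm));
console.log(checkAccessPost(foreignForm));
```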
I won’t comment on what I think of the practice of providing such a weak security mechanism to provide access to restricted areas of public websites. I’ll save that for a future post. But let’s just say that it’s still a popular choice when you only want to discourage the general public from seeing certain sections of your website.